GROSPOLINA.ORG
New Projects
Nepenthes Projects
nepenthes collects autonomously spreading malware. Please visit http://nepenthes.sf.net.
ALL patches and files here are for use with the nepenthes 0.2.0 tarball!
nepenthes: vuln-realvnc
about FOOBAR-MUTTER
Google for FOOBAR-MUTTER and you will see that it is already known that nepenthes gives the name FOOBAR-MUTTER to the host that provides the RealVNC service. You should change that hostname.
Where can you find it in the src? Grepping for 'FOOBAR-MUTTER' doesn't help, because the name is stored as a hex byte array. You have to grep for the hex. Let's choose FOO (0x46 0x4f 0x4f); the grep looks like this:
grep -rn '0x46, 0x4f, 0x4f' vuln-realvnc
(run from the modules folder).
result:
vuln-realvnc/vuln-realvnc.cpp:292: 0x46, 0x4f, 0x4f, 0x42, 0x41, 0x52, 0x2d, 0x4d,
the section looks like this:
288 static const char vnc_isupport[] = {
289 0x04, 0x3a, 0x02, 0xff, 0x20, 0x18, 0x00, 0x01,
290 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x10, 0x08,
291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d,
292 0x46, 0x4f, 0x4f, 0x42, 0x41, 0x52, 0x2d, 0x4d,
293 0x55, 0x54, 0x54, 0x45, 0x52};
in line 292 the hostname starts, and the byte right before it at the end of line 291 (0x0d = 13) is its length. The whole array is the RFB ServerInit message the module sends: framebuffer width and height (0x043a x 0x02ff), the 16-byte pixel format, a 4-byte big-endian name-length, then the name itself. So if the new name is not 13 bytes long, the length field has to change as well; otherwise the reply is malformed and just as easy to fingerprint as the old name.
with the help of a quick&dirty C program we get e.g. for "KATSUMIS-SERVER" (15 bytes, so the length becomes 0x0f):
static const char vnc_isupport[] = {
0x04, 0x3a, 0x02, 0xff, 0x20, 0x18, 0x00, 0x01,
0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x10, 0x08,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f,
0x4b, 0x41, 0x54, 0x53, 0x55, 0x4d, 0x49, 0x53,
0x2d, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52};
i used this dirty C src to get the hostname in hex (it also prints the 4-byte length field that goes in front of the name):
#include <stdio.h>
#include <string.h>

/* the new desktop name; the RFB ServerInit message carries its
 * length as a 4-byte big-endian integer right before the bytes */
char foobar[] = "KATSUMIS-SERVER";

int main(void)
{
    size_t len = strlen(foobar);
    printf(" 0x%02x, 0x%02x, 0x%02x, 0x%02x,\n",
           (unsigned)(len >> 24) & 0xff, (unsigned)(len >> 16) & 0xff,
           (unsigned)(len >> 8) & 0xff, (unsigned)len & 0xff);
    for (size_t i = 0; i < len; i++)
        printf(" 0x%02x,", (unsigned char)foobar[i]);   /* %02x keeps every byte two digits wide */
    printf("\n");
    return 0;
}
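The procedure above (find the name in the byte array, replace it, and keep the length field in front of it correct) can be done in one step. The following generator is an added example written for this page, not code from nepenthes: it builds the complete RFB ServerInit message for an arbitrary desktop name, fills in the 4-byte big-endian name-length itself, prints the result as a C initializer in the style of vnc_isupport, and checks an existing blob for a length/name mismatch. The 20 header bytes are copied from the vnc_isupport array above; the 64-byte name cap and the function names are my own choices.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not part of nepenthes: build the RFB ServerInit message
 * that vuln-realvnc replies with, for an arbitrary desktop name, so that
 * the 4-byte big-endian name-length field always matches the name.
 * The first 20 bytes (framebuffer size and pixel format) are copied from
 * the vnc_isupport array on this page. */

#define SERVERINIT_HEADER_LEN 20   /* 2 width + 2 height + 16 pixel-format */
#define SERVERINIT_MAX_NAME   64   /* arbitrary cap chosen for this example */

static const unsigned char serverinit_header[SERVERINIT_HEADER_LEN] = {
    0x04, 0x3a,                          /* framebuffer width  = 1082 */
    0x02, 0xff,                          /* framebuffer height = 767  */
    0x20, 0x18, 0x00, 0x01,              /* bpp 32, depth 24, little-endian, true-colour */
    0x00, 0xff, 0x00, 0xff, 0x00, 0xff,  /* red/green/blue max = 255 */
    0x10, 0x08, 0x00,                    /* red/green/blue shift = 16/8/0 */
    0x00, 0x00, 0x00                     /* padding */
};

/* Fills out[] with header + name-length + name. Returns the total size,
 * or -1 when the name is empty, too long, or out[] is too small. */
int build_server_init(const char *name, unsigned char *out, size_t outlen)
{
    size_t n = strlen(name);
    if (n == 0 || n > SERVERINIT_MAX_NAME) return -1;
    size_t total = SERVERINIT_HEADER_LEN + 4 + n;
    if (outlen < total) return -1;

    memcpy(out, serverinit_header, SERVERINIT_HEADER_LEN);
    /* RFB ServerInit: name-length is an unsigned 32-bit big-endian integer */
    out[20] = (unsigned char)(n >> 24);
    out[21] = (unsigned char)(n >> 16);
    out[22] = (unsigned char)(n >> 8);
    out[23] = (unsigned char)(n);
    memcpy(out + 24, name, n);
    return (int)total;
}

/* Sanity check a ServerInit blob: does the declared name-length match the
 * number of bytes that actually follow it? A mismatch (e.g. 0x0d in front
 * of a 15-byte name) is exactly the kind of oddity a scanner could key on. */
int server_init_consistent(const unsigned char *buf, size_t len)
{
    if (len < 24) return 0;
    uint32_t declared = ((uint32_t)buf[20] << 24) | ((uint32_t)buf[21] << 16) |
                        ((uint32_t)buf[22] << 8)  |  (uint32_t)buf[23];
    return declared == len - 24;
}

/* Print the blob as a C initializer, 8 bytes per line like the original. */
void print_as_c_array(const char *ident, const unsigned char *buf, size_t len)
{
    printf("static const char %s[] = {", ident);
    for (size_t i = 0; i < len; i++) {
        if (i % 8 == 0) printf("\n    ");
        printf("0x%02x%s", buf[i], i + 1 < len ? ", " : "};\n");
    }
}

int main(void)
{
    unsigned char buf[SERVERINIT_HEADER_LEN + 4 + SERVERINIT_MAX_NAME];
    int len = build_server_init("KATSUMIS-SERVER", buf, sizeof buf);
    if (len < 0) return 1;
    print_as_c_array("vnc_isupport", buf, (size_t)len);
    return server_init_consistent(buf, (size_t)len) ? 0 : 1;
}
```

Paste the printed initializer over lines 288-293 of vuln-realvnc.cpp. server_init_consistent() returning 0 on a blob is the tell: a 15-byte name behind a length byte of 0x0d is a different fingerprint, not a fixed one.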
now i'm waiting for an attacker who will try to hack "KATSUMIS-SERVER".
there are two articles written in German on my blog:
[nepenthes]vncmoo
[nepenthes]vncmoo final
There you can find a concept of how attackers could use this issue to detect nepenthes (with rbot, for example).
The src files are for use with the cisco-rbot I found at offensivecomputing:
vncmoo.cpp
vncmoo.h
nepenthes: symantec 06-10 addon
Description:
The nep_sym_addon.tar.gz archive holds all files needed to implement sym06-10.
The svn release at https://svn.mwcollect.org only binds to port 2967.
This release binds to all ports listed in "vuln-sav.conf".
Download:
nep_sym_addon.tar.gz
nepenthes: malformed URL port patch
Description:
target : DownloadManager.cpp
nepenthes rejects download URLs with a port > 65535... but why?
A worm that uses such a URL would simply not be downloaded by nepenthes.
This patch uses modulo to calculate the port instead of rejecting it.
! Your nepenthes could be detected if you are using this patch: it now accepts URLs that an unpatched nepenthes refuses.
Thanks to common for giving this hint.
Download:
DownloadManager.patch
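To make the difference concrete, here is an added example (mine, not the DownloadManager.patch from the download link above): a port extractor for download URLs with the two policies side by side, the strict range check and a modulo fold. The modulus 65536 is an assumption, chosen because it is what a 16-bit port field does with an oversized number; the patch text itself is not on this page. The parser assumes URLs of the form scheme://host:port/path without userinfo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Added example, not the nepenthes patch. Two port policies for a
 * "scheme://host:port/path" download URL (no userinfo assumed):
 *   strict_port()  rejects anything outside 1..65535
 *   lenient_port() folds an oversized value back into range with
 *                  modulo 65536 (assumed modulus, see lead-in)
 * Both return the port, 0 when the URL carries no explicit port,
 * or -1 when the port is not usable. */

/* Locate the ":port" after the host. Returns 1 with *out set, 0 when
 * there is no explicit port, -1 when the port is not a number. */
static int extract_port_field(const char *url, long *out)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    /* the host part ends at the first ':' or '/' */
    const char *host_end = p + strcspn(p, ":/");
    if (*host_end != ':') return 0;
    char *end;
    errno = 0;
    long v = strtol(host_end + 1, &end, 10);
    if (end == host_end + 1 || errno != 0 || (*end != '/' && *end != '\0'))
        return -1;
    *out = v;
    return 1;
}

/* Policy of an unpatched nepenthes: out-of-range ports are refused. */
int strict_port(const char *url)
{
    long v;
    int r = extract_port_field(url, &v);
    if (r == 0) return 0;
    if (r < 0 || v < 1 || v > 65535) return -1;
    return (int)v;
}

/* Modulo policy: 70000 becomes 70000 % 65536 = 4464. A result of 0
 * (e.g. 65536) is still unusable and is rejected. */
int lenient_port(const char *url)
{
    long v;
    int r = extract_port_field(url, &v);
    if (r == 0) return 0;
    if (r < 0 || v < 0) return -1;
    v %= 65536;
    return v == 0 ? -1 : (int)v;
}

int main(void)
{
    /* constructed sample URLs, not captured data */
    const char *urls[] = {
        "http://10.0.0.1:7788/bot.exe",
        "http://10.0.0.1:70000/bot.exe",
        "http://10.0.0.1:65536/bot.exe",
        "ftp://10.0.0.1/bot.exe",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-32s strict=%6d lenient=%6d\n",
               urls[i], strict_port(urls[i]), lenient_port(urls[i]));
    return 0;
}
```

The rows where strict and lenient disagree are exactly the URLs a probing bot can use to tell a patched sensor from an unpatched one, which is the warning in the description above.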
nepenthes: ignore 172 bytes hexdump
Description:
target : Utilities.cpp
nepenthes stores unknown requests in ./var/hexdumps as binary files.
All 172-byte binaries are just logins (brute-force or password-list based), not payloads.
I was looking for a way to get rid of them.
My solution adds a few lines below the "zero length ignore" in ./nepenthes-core/src/Utilities.cpp so that 172-byte requests are dropped the same way.
Download:
Utilities.patch
All patches and files are for educational purposes only.
They are mostly tested, but nobody is perfect ;).
We will not explain how to apply a patch or overwrite a file.